January 2024


Data Privacy Compliance With India’s DPDP Act of 2023

AsiaBriefing
By Dezan Shira & Associates

India’s rapidly-evolving technology landscape may have reached a significant milestone with the introduction and subsequent enactment of the Digital Personal Data Protection (DPDP) Bill, 2022. The Union Cabinet approved this pivotal legislation on 5 July 2023. On 20 July 2023, the bill was presented during the ongoing Monsoon Session of Parliament. It swiftly passed through the legislative process, receiving approval in the lower house (Lok Sabha) on 7 August and in the upper house (Rajya Sabha) on 9 August. The DPDP Bill, 2022, officially became the Digital Personal Data Protection Act after receiving the President’s assent on 11 August 2023 (official Gazette notification by the Government of India: DPDP Act).

The DPDP Act now stands as a crucial component alongside the Digital India Bill and the draft Indian Telecommunication Bill of 2022, addressing the governance of personal data in India. Collectively, these legislative efforts represent a significant stride towards bolstering data protection in the country’s swiftly-evolving digital landscape.

At its core, the DPDP Act establishes a higher level of accountability and responsibility for entities operating within India. This includes internet companies, mobile apps, and businesses involved in the collection, storage, and processing of citizens’ data. With a strong emphasis on the right to privacy, this legislation seeks to ensure that these entities operate transparently and are answerable when it comes to handling personal data, thus prioritizing the privacy and data protection rights of Indian citizens.

The DPDP Act’s scope extends beyond the borders of India, encompassing digital personal data processing activities abroad. This extension applies specifically to organizations offering goods or services to individuals in India or engaging in the profiling of Indian citizens. In doing so, the Act fortifies data protection measures not only within India but also concerning Indian citizens’ data handled abroad.


Key Provisions of India’s DPDP Act of 2023

Initially introduced in 2019, the DPDP Act holds considerable importance as a legislative measure aimed at safeguarding individuals’ privacy rights. Its primary focus lies in regulating the collection, storage, processing, and transfer of personal data in the digital landscape. The DPDP Bill underwent 81 amendments after its initial introduction, resulting in a comprehensive overhaul to its present form.

By prioritizing privacy and security, the DPDP Act strives to create a robust framework that addresses the challenges posed by data handling in the digital age. Key provisions of the DPDP Act of 2023 include the following:

  • Definitions: Although many concepts in the DPDP Act closely resemble those found in the EU’s General Data Protection Regulation (GDPR) framework, there are differences in how terminology is used, like the following:
  1. Data fiduciary: This refers to the entity that, either independently or in collaboration with others, establishes both the purpose and the methods for processing personal data (like a data controller). The government can classify any data fiduciary or a specific group of data fiduciaries as significant data fiduciaries (SDFs). The criteria for classification as an SDF include the nature of processing activities, such as the volume and sensitivity of personal data involved and the potential impact on data principals’ rights, to broader societal and national concerns such as the potential effects on India’s sovereignty and integrity, electoral democracy, state security, and public order. The designation of SDF comes with heightened compliance obligations (see the additional obligations of SDFs below).
  2. Data processor: This is an entity responsible for processing digital personal data on behalf of a data fiduciary.
  3. Data principal: These are individuals whose personal data is gathered and processed (equivalent to a data subject).
  4. Consent manager: A person registered with the Data Protection Board, who acts as a single point of contact to enable a Data Principal to give, manage, review, and withdraw their consent through an accessible, transparent, and interoperable platform.
  • Applicability: The DPDP Act applies to all data—whether originally online or offline and later digitized—in India. Additionally, the Act applies to the processing of digital personal data beyond India’s borders, particularly when it encompasses the provision of goods or services to individuals within the Indian territory.

Age verification mechanisms will be necessary for all companies in India (telcos, banks, e-commerce, etc.) under the new DPDP law, according to The Economic Times. The compliance requirement is not limited to social media platforms. According to legal experts, age verification is essential for recording the verifiable consent of users.

  • Personal data breach: This means any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data, that compromises the confidentiality, integrity, or availability of personal data.
  • Individual consent to use data and data principal rights: Under the new legislation, personal data will be collected and processed only with explicit consent from the individual, unless specific circumstances pertaining to national security, law, and order require otherwise.

Individuals also have the right to information, the right to correction and erasure, the right to grievance redressal, and the right to nominate any other person to exercise these rights in the event of the individual’s death or incapacity. Currently, there is no specified timeline for the implementation of grievance redressal and data principal rights.

  • Additional obligations of SDFs: Data fiduciaries designated as SDFs, based on the quantity and sensitivity of the data they manage, are subject to additional obligations under the DPDP Act. Every significant data fiduciary is required to appoint a data protection officer (DPO) responsible for addressing the inquiries and concerns of data principals whose data is collected and processed. Regarding international data transfers, the DPDP Act permits data fiduciaries to transfer personal data for processing to any country or territory outside India. However, the central government can impose restrictions through notifications. These restrictions will be determined after assessing relevant factors and establishing necessary terms and conditions to ensure the maintenance of data protection standards during international processing.
  • Establishment of a Data Protection Board: The Data Protection Board will function as an impartial adjudicatory body responsible for resolving privacy-related grievances and disputes between relevant parties. As an independent regulator, it will possess the authority to ascertain instances of noncompliance with the Act’s provisions and impose penalties accordingly. The appointment of the chief executive and board members of the Data Protection Board will be carried out by the central government, ensuring a fair and transparent selection process. To provide an avenue for customers to challenge decisions made by the Board, the government will establish an appellate body. This appellate body may be assigned to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), which will be responsible for adjudicating disputes related to data protection and hearing appeals against the decisions made by the Board.
  • Voluntary undertaking: Under this provision, the Data Protection Board has the authority to accept a voluntary commitment related to compliance with the DPDP Act’s provisions from any data fiduciary at any stage of complaint proceedings. This voluntary undertaking may entail specific actions to be taken or refrained from by the concerned party. Furthermore, the terms of the voluntary undertaking can be modified by the Board if necessary. The voluntary undertaking serves as a legal barrier to proceedings concerning the subject matter of the commitment unless the data fiduciary fails to adhere to its terms. In the event of noncompliance, such a breach is considered a violation of the DPDP Act, and the Board is authorized to impose penalties for this infringement. Additionally, the Board has the discretion to require the undertaking to be made public.
  • Alternate disclosure mechanism: This mechanism will allow two parties to settle their complaints with the help of a mediator.
  • Offence and penalties: Data fiduciaries can face penalties of up to INR 2.5 billion for failing to comply with the provisions. These include:
    1. penalties of up to INR 10,000 for breach of the duty towards data principals;
    2. penalties of up to INR 2.5 billion for failing to take reasonable security safeguards to prevent a breach of personal data;
    3. fines of up to INR 2 billion for failure to notify the Data Protection Board and affected data principals in case of a personal data breach;
    4. penalties of up to INR 2 billion for violation of additional obligations related to children’s data;
    5. a penalty of INR 1.5 billion for failure to comply with the additional obligations of a significant data fiduciary; and
    6. a penalty of INR 500 million for breach of any other provision of the DPDP Act, 2023 and rules made thereunder.
  • Conflict with existing laws: The provisions of the DPDP Act will be in addition to and not supersede any other law currently in effect. However, if there is any conflict between a provision of the DPDP Act and a provision of another law in effect, the provision of the DPDP Act takes precedence to the extent of such conflict.


Exemptions Under the DPDP Act

The exemptions provided in the DPDP Act are as follows:

  • For notified agencies, in the interest of security, sovereignty, public order, etc.
  • For research, archiving, or statistical purposes
  • For start-ups or other notified categories of data fiduciaries
  • To enforce legal rights and claims
  • To perform judicial or regulatory functions
  • To prevent, detect, investigate, or prosecute offences
  • To process in India personal data of nonresidents under foreign contract
  • For approved merger, demerger, etc.
  • To locate defaulters and their financial assets, etc.


Company Compliance Under the DPDP Act

By following the below steps, companies can prepare for compliance with India’s DPDP Act and protect personal data in line with regulatory guidelines:

Assess and build data privacy:

  • Evaluate current compliance status
  • Create a phased action plan covering governance, technology, people, and processes
  • Establish a privacy organization with defined roles, including the DPO, especially if your entity’s status is an SDF

Inventory personal data systems:

  • Identify critical data storage and processing systems

Identify data processors:

  • List third parties handling personal data
  • Update agreements and communicate responsibilities

Create DPDP Act-compliant documents:

  • Create approved data privacy policies and processes
  • Update necessary documents
  • Develop privacy notices, consent forms, and standard contract clauses

Design consent mechanisms:

  • Define consent types
  • Develop user-friendly consent processes
  • Implement efficient consent management tools

Establish data principal rights handling:

  • Set up processes for addressing data principal rights
  • Develop procedures for request handling
  • Use tools for efficient rights management

Implement data breach response:

  • Create breach management processes
  • Integrate with incident management

Define data retention periods:

  • Categorize data and align retention periods with requirements

Evaluate and implement privacy technologies:

  • Choose suitable tech solutions
  • Assess compatibility and scalability
  • Implement chosen solutions

Conduct communication and awareness programs:

  • Develop plans and materials
  • Launch awareness initiatives
  • Provide training to stakeholders

Monitor government notifications:

  • Stay updated on central government notifications and any forthcoming rules under the DPDP Act
  • Take necessary actions based on government directives


Global Data Protection Models

The following are the global data protection models (also see “Data Protection and Privacy Legislation Worldwide” figure):

  • European Union (EU) model: The EU’s GDPR imposes stringent requirements on organizations to ensure the careful safeguarding of personal data and demands evidence of such protection. The GDPR establishes rigorous standards for obtaining consent, empowering customers to exercise control over how their data is handled and protected. Widely acknowledged as a ground-breaking and crucial legislative framework, the GDPR offers valuable guidance to countries in defining the fundamental rights and responsibilities that should be integrated into their own data protection laws. Its primary objective is to effectively respond to the challenges posed by our increasingly digital and interconnected world.
  • United States (U.S.) model: The U.S. model emphasizes safeguarding an individual’s personal privacy from government intrusion. It permits the collection of personal information, provided that the individual is made aware of such data collection and its intended use. Unlike some other countries, the U.S. does not have a single data protection regulation; instead, it has a combination of laws at both the federal and state levels that are designed to protect the data of its residents.
  • China model: The Personal Information Protection Law (PIPL) introduces enhanced rights for data principals in China, aiming to curb the improper usage of personal data. The law encompasses key notions, such as personal information, sensitive personal information, and processing. Notably, it explicitly defines its jurisdiction beyond national borders. The PIPL incorporates fundamental elements of data protection, including principles governing the processing of personal information, provisions for consent and non-consent-based grounds for processing, mechanisms for cross-border data transfers, and the rights of data subjects.

This article was originally published in India Briefing, which is produced by Dezan Shira & Associates. The firm assists foreign investors throughout Asia from offices across the world, including in China, Hong Kong, Vietnam, Singapore, India, and Russia. Readers may write to [email protected] for more support.